
fix: align release artifact SPDX and intoto filenames with primary artifacts#8491

Merged
pethers merged 2 commits into master from copilot/correct-release-flow-artifacts on Mar 25, 2026

Conversation


Copilot AI commented Mar 25, 2026

Description

Release SPDX and intoto attestation files had misaligned names due to Maven's spdx-maven-plugin default naming (com.hack23.cia_cia-dist-deb-VERSION.spdx.json). These should follow the convention <artifact>.spdx.json to match their parent artifacts.

Before:

cia-dist-deb-2026.3.23.all.deb
cia-dist-deb-2026.3.23.all.deb.intoto.jsonl
com.hack23.cia_cia-dist-deb-2026.3.23.spdx.json          ← misaligned
com.hack23.cia_cia-dist-deb-2026.3.23.spdx.json.intoto.jsonl

After:

cia-dist-deb-2026.3.23.all.deb
cia-dist-deb-2026.3.23.all.deb.intoto.jsonl
cia-dist-deb-2026.3.23.all.deb.spdx.json                 ← aligned
cia-dist-deb-2026.3.23.all.deb.spdx.json.intoto.jsonl

  • release.yml: Added post-build step to copy SPDX files from Maven default names to artifact-aligned names. Updated sbom-path references in attestation steps and artifact upload list.
  • WORKFLOWS.md: Updated documentation to reflect new naming convention.

Type of Change

Primary Changes

  • 🐛 Bug Fix

Political Analysis

Technical Changes

  • 🏗️ Infrastructure
    • Configuration Updates
  • 📝 Documentation
    • Technical Documentation

Impact Analysis

Political Analysis Impact

  • Impact on data quality: None
  • Impact on analysis accuracy: None
  • Impact on transparency features: Improved — SPDX/SBOM files now clearly associated with their artifacts

Technical Impact

  • Performance impact: None
  • Security implications: SBOM attestation integrity preserved; cp -v ensures failures are visible
  • Dependency changes: None

Testing

  • Security compliance verified
  • Workflow is workflow_dispatch triggered — validated via YAML syntax check and structural review

Documentation

  • Package/module documentation updated

Screenshots

Related Issues

Checklist

  • Code follows project coding standards
  • Comments are clear and helpful
  • Documentation is updated
  • Tests are passing
  • Security compliance is maintained
  • Performance impact is acceptable
  • Breaking changes are documented
  • Changes are backward compatible

Additional Notes

Security Considerations

  • No sensitive data exposed
  • Security best practices followed
  • Compliance requirements met

Release Notes

Release artifact filenames for SPDX and intoto attestations now follow <artifact>.spdx.json / <artifact>.spdx.json.intoto.jsonl convention, aligned with their parent DEB/WAR artifacts.
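The renaming step described above, as an added shell example that is not the project's own release.yml code. It assumes, as the PR's "Before" listing shows, that Maven's spdx-maven-plugin writes `<groupId>_<artifactId>-<version>.spdx.json` next to the artifact; the function names (`sbom_path_for`, `align_sbom`, `check_sbom_alignment`) and the sample release directory are constructed for illustration. Beyond the copy itself it adds the guard a practitioner would want before the attestation step: every `.deb`/`.war` in the release directory must have a co-named `<artifact>.spdx.json`, otherwise the job fails instead of attesting a missing or mis-named SBOM.

```shell
#!/bin/sh
# Added example (not the project's release.yml): align Maven-default SPDX
# filenames with their parent artifacts and verify alignment before attesting.
# Assumption: spdx-maven-plugin emits <groupId>_<artifactId>-<version>.spdx.json
# beside the artifact, e.g. com.hack23.cia_cia-dist-deb-2026.3.23.spdx.json.

# sbom_path_for ARTIFACT_FILE
# Echo the artifact-aligned SBOM name: <artifact>.spdx.json
sbom_path_for() {
    printf '%s.spdx.json\n' "$1"
}

# align_sbom DIR MAVEN_SPDX ARTIFACT_FILE
# Copy the Maven-default SPDX file to the aligned name. Returns non-zero with
# a message on stderr when the SBOM or the artifact is missing, so a workflow
# step using it cannot silently reference a non-existent sbom-path.
align_sbom() {
    dir=$1; src=$2; artifact=$3
    dst=$(sbom_path_for "$artifact")
    if [ ! -f "$dir/$src" ]; then
        printf 'error: SBOM %s not found for %s\n' "$src" "$artifact" >&2
        return 1
    fi
    if [ ! -f "$dir/$artifact" ]; then
        printf 'error: artifact %s not found\n' "$artifact" >&2
        return 1
    fi
    # -v mirrors the PR's cp -v so the rename is visible in the job log
    cp -v "$dir/$src" "$dir/$dst"
}

# check_sbom_alignment DIR
# Guard to run before the attestation step: every .deb/.war in DIR must have
# a co-named <artifact>.spdx.json. Lists offenders on stderr and returns 1.
check_sbom_alignment() {
    dir=$1; missing=0
    for artifact in "$dir"/*.deb "$dir"/*.war; do
        [ -f "$artifact" ] || continue   # pattern matched no file
        name=$(basename "$artifact")
        if [ ! -f "$dir/$(sbom_path_for "$name")" ]; then
            printf 'missing aligned SBOM for %s\n' "$name" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Usage: sh align_sbom.sh RELEASE_DIR   (checks alignment of a release directory)
if [ "$#" -eq 1 ]; then
    check_sbom_alignment "$1"
fi
```

In a workflow, `align_sbom` runs once per artifact right after the Maven build and `check_sbom_alignment` runs as the last step before attestation, so the `sbom-path` handed to the attestation action is guaranteed to exist under the aligned name.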




github-actions bot commented Mar 25, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA b57c84e.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

Copilot AI changed the title [WIP] Fix bad file names in release artifacts fix: align release artifact SPDX and intoto filenames with primary artifacts Mar 25, 2026
Copilot AI requested a review from pethers March 25, 2026 08:51

@pethers pethers marked this pull request as ready for review March 25, 2026 09:01
@pethers pethers merged commit f15dd88 into master Mar 25, 2026
10 checks passed
@pethers pethers deleted the copilot/correct-release-flow-artifacts branch March 25, 2026 09:01